The Future of Email Security in the Cloud: Why Perimeter Protection is No Longer Effective

In the second installment of this four-part series we will highlight the need for further protection beyond gateways. (To start at the beginning of the series, click here. To download the entire series, check out our “Future of Email Security in the Cloud” white paper.)

While gateways were once relatively effective, email threats have become more advanced, requiring more advanced protection. As mentioned in the previous blog post, threat actors are building stealthy characteristics into their attacks that allow them to slip past the gateway and present significant danger to your business.

Much like a firewall provides network security at the perimeter, secure email gateways (SEGs) serve as a similar layer of protection against external threats. Functioning as a filter for inbound email, these solutions were—and remain—highly focused on protecting the business from external threats.

Protection at the Perimeter: The Rise and Fall of Secure Email Gateways (SEGs)

Early gateways also incorporated archiving functionality, which saved and protected historical data. This not only provided redundancy in case of outages, it prevented data loss due to system failure, allowed for e-discovery and satisfied compliance requirements.

The SEG uses tactics such as sender reputation filters, URL filters, spam filters, and web scanners to identify known threats. Over the years, SEGs gained new features and capabilities, from encryption to advanced threat detection and remediation, but the approach has largely remained binary. Even for the more advanced solutions that incorporate threat intelligence, efficacy depends on point-in-time knowledge about a specific threat. Emails enter the organization’s network and pass through the gateway; when an email meets conditions XYZ, it is deleted, quarantined, or handled according to some other policy-based action determined by the organization. Success is assumed once the binary conditions have been met.

Despite being in the cloud, integrated email security features such as those offered in G Suite Enterprise or through Microsoft Advanced Threat Protection (ATP) operate in a very similar fashion.

Although industry authentication protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and even Domain-based Message Authentication, Reporting and Conformance (DMARC) are helpful authentication tools, many organizations lack the technical talent to implement and configure them accurately, rendering them inadequate as sole arbiters of safe versus unsafe email. The 2017 Online Trust Audit and Honor Roll showed that only 35 percent of banking institutions are effectively leveraging the DKIM protocol for top-level domains. Only 53 percent of retailers are doing the same, and overall adoption falls around 56 percent.

DMARC relies on the proper configuration of both SPF and DKIM, making it even more complex to implement and accounting for a disappointing adoption rate of just 15 percent overall. Even when effectively leveraged, these protocols cannot detect impersonation attacks that use popular free email services, such as Hotmail or consumer-facing Gmail, to mimic email addresses. Because Microsoft and Google properly authenticate mail from these accounts, it passes the authentication checks with no issue.
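To make that gap concrete, here is an added Python example (not code from this post or from any vendor product) that parses the Authentication-Results and From headers of two constructed messages: the Gmail-originated impersonation passes SPF, DKIM and DMARC exactly as described above, and only a separate display-name check against a hypothetical executive list flags it. The domains, names and header values are all constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: a display-name impersonation sent from a consumer Gmail
# account. Google signs and publishes SPF for gmail.com, so the receiving MTA
# records a clean pass for SPF, DKIM and DMARC (header values constructed here).
IMPERSONATION = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com
From: "Jane Doe, CEO" <jane.doe.ceo.exampleco@gmail.com>
To: accounts@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed legitimate message from the same executive's corporate mailbox.
LEGITIMATE = IMPERSONATION.replace("gmail.com", "example.com").replace(
    "jane.doe.ceo.exampleco@", "jane.doe@")

# Hypothetical allow-list: executive names that should only appear on mail
# originating from the corporate domain.
EXECUTIVES = {"jane doe"}
CORPORATE_DOMAIN = "example.com"


def auth_results(msg):
    """Extract the spf/dkim/dmarc verdicts recorded by the receiving MTA."""
    hdr = msg.get("Authentication-Results", "")
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)
    return {k.lower(): v.lower() for k, v in pairs}


def assess(raw):
    """Return the binary gateway verdict next to a display-name impersonation check."""
    msg = email.message_from_string(raw)
    verdicts = auth_results(msg)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    authenticated = all(verdicts.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    # Normalize the display name ("Jane Doe, CEO" -> "jane doe ceo") and look
    # for an executive's name on mail that did not come from the corporate domain.
    norm = " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())
    claims_exec = any(e in norm for e in EXECUTIVES)
    external = domain != CORPORATE_DOMAIN
    return {
        "authenticated": authenticated,
        "gateway_verdict": "deliver" if authenticated else "quarantine",
        "display_name_impersonation": authenticated and claims_exec and external,
    }


if __name__ == "__main__":
    for label, raw in (("impersonation", IMPERSONATION), ("legitimate", LEGITIMATE)):
        print(label, assess(raw))
```

Both messages receive the same "deliver" verdict from the authentication-only logic; the impersonation is only surfaced by reasoning about who the message claims to be from.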

Additionally, this linear approach makes it nearly impossible to detect more sophisticated attacks, such as business email compromise and other impersonation attacks. These attacks lack the key components typically used to identify threats, such as attachments, known malicious sender information, or URLs.

Because SEGs—and even the integrated email security features within Office 365 and G Suite—assume success based on binary factors, they lack an enhanced means of remediation beyond quarantine. Even those that incorporate threat intelligence from external sources can only act on information that is already known. Because zero-days are, by definition, threats that have not yet been publicly identified, threat-intelligence-heavy methods cannot detect and prevent them; this is where your organization would benefit from having well-trained employees.

Stay tuned for the next post in this series, which will focus on equipping employees to better understand threats. A well-trained employee is just as important as an advanced protection system; employees and threat protection systems must work in tandem to provide the strongest protection for your business.

To read the entire series prior to posting, download our companion white paper.